authorRobert Loehning <robert.loehning@qt.io>2020-11-05 13:52:39 +0100
committerRobert Loehning <robert.loehning@qt.io>2020-11-09 16:07:01 +0000
commitad9ca01853e90bdbe45f7ac2e8edd75cd0862801 (patch)
treeda320f977daef448825951627c3c7806ef52fe29 /src/network
parent7b1bbdb10ca1d89c9d6603e1e4baf9435a2e6ce5 (diff)
QAsn1Element: Read value in blocks to avoid oom at wrong length
Fixes oss-fuzz issue 22272. Pick-to: 5.15 Change-Id: I8a49b9487f632469402c983e517e817e8e65bef7 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'src/network')
-rw-r--r--src/network/ssl/qasn1element.cpp18
1 files changed, 13 insertions, 5 deletions
diff --git a/src/network/ssl/qasn1element.cpp b/src/network/ssl/qasn1element.cpp
index 65a0e08961..13fc095e12 100644
--- a/src/network/ssl/qasn1element.cpp
+++ b/src/network/ssl/qasn1element.cpp
@@ -120,12 +120,20 @@ bool QAsn1Element::read(QDataStream &stream)
if (length > quint64(std::numeric_limits<int>::max()))
return false;
- // value
+
+ // read value in blocks to avoid being fooled by incorrect length
+ const int BUFFERSIZE = 4 * 1024;
QByteArray tmpValue;
- tmpValue.resize(length);
- int count = stream.readRawData(tmpValue.data(), tmpValue.size());
- if (count != int(length))
- return false;
+ int remainingLength = length;
+ while (remainingLength) {
+ char readBuffer[BUFFERSIZE];
+ const int bytesToRead = qMin(remainingLength, BUFFERSIZE);
+ const int count = stream.readRawData(readBuffer, bytesToRead);
+ if (count != int(bytesToRead))
+ return false;
+ tmpValue.append(readBuffer, bytesToRead);
+ remainingLength -= bytesToRead;
+ }
mType = tmpType;
mValue.swap(tmpValue);
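Review bot: The cast in `if (count != int(bytesToRead))` is a leftover from the old comparison against the quint64 `length`; `bytesToRead` is already a `const int`, so `if (count != bytesToRead)` says the same thing without suggesting a narrowing conversion. The comment above the loop would help a maintainer more if it stated the invariant, for example `// length is taken from the encoded input and is untrusted: grow tmpValue only by bytes actually read, never resize(length) up front`. With this loop, allocation is bounded by what the stream delivers rather than by the declared length, although the check at the top of the hunk still accepts declared lengths up to INT_MAX. If the fuzzer reproducer is not already covered by a test elsewhere in the change, a regression test with a large declared length and a short payload would pin this behaviour. QAsn1Element::read begins above the hunk and continues below it.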